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Abstract 

In this paper, we show how thread partitioning helps in proving prop- 
erties of mobile systems. Thread partitioning consists in gathering the 
threads of a mobile system into several classes. The partitioning criterion 
is left as a parameter of both the mobility model and the properties we are 
interested in. Then, we design a polynomial time abstract interpretation- 
based static analysis that counts the number of threads inside each parti- 
tion class. 



1 Introduction 

A mobile system is a pool of threads that interact with each other. These in- 
teractions dynamically change the system by controlling both the creation and 
the destruction of links between threads (by modifying the accesses to channels 
and/or modifying the spatial configuration). These interactions also control the 
creation of threads. The size of a mobile system may be unbounded. A mo- 
bile system may describe telecommunication networks, reconfigurable systems, 
client-server applications, cryptographic protocols, or biological systems. Sev- 
eral models exist according to the application field and the granularity of the 
observation level. 

We use abstract interpretation [TTJ [T3] to derive abstract semantics, which 
are sound, decidable, but approximate. We use partitioning [TJl [S] to sepa- 
rate the threads according to dynamical information. The partitioning criterion 
depends on both the model and the properties of interest. In models based 
on channeled communications (as in the 7r-calculus |29j). we can partition the 
threads according to the name of the channel they operate on. In models with 
explicit locations (as in ambients [3]), we can partition the threads according to 
their location in the system. When there are both channeled communications 
and locations (as in D-7T [36] or in Bio- ambients [35]), we partition the threads 
according to both the channel they operate on and their location. In more com- 
plex cases, the partitioning criterion may be given manually. For instance, in 
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the spz-calculus, channels are not relevant, so we partition the threads according 
to the principals that share a session [22, p:269] thanks to some end-user's an- 
notations. Nevertheless, we believe that a better understanding of the problem 
should allow the automatic inference of these annotations. 

Our analysis then counts automatically the number of threads inside each 
partition class. To get an accurate analysis, we have to relate, for each compu- 
tation step, the partition classes of the threads that interact and the partition 
classes of the threads that are created. When analyzing mobile ambients [55] . 
these relations are given by the model. This is not the case in less structured 
models, where a non uniform (i.e. that distinguishes recursive instances) anal- 
ysis [HI [201 12H 122j of the dynamic linkage between threads is required. To 
make contents analysis and non uniform analysis collaborate, we locally parti- 
tion computation steps [28] according to some assumptions about the partition 
classes of the threads that interact. Then, we use a coalesced product between 
both analyses, so that if one detects that some assumptions are contradictory, 
the other ignores the corresponding interaction. 

We apply our framework to prove automatically the absence of race con- 
ditions in a shared-memory with dynamic allocation written in the 7r-calculus. 
We also analyze precisely the relation between the contents of an ambient and 
its location in the network. In the author's PhD. Thesis [22] , we prove an au- 
thentication property [3] in a cryptographic protocol 38 in the spi-calculus 
&■ 

Outline. We discuss related works in Sect. [2] We detail the contribution of 
this paper in Sect. [3] We give some examples in Sect. [4j We give in Sect. [5] 
a non-standard semantics for the 7r-calculus. We define both thread and step 
partitioning in Sect. [6] We derive a generic abstraction in Sect. [7] We give an 
environment analysis in Sect. [5] and a contents analysis in Sect. [HI 

2 Related works 

In this section, we discuss some related works. 
2.1 Control flow analyses 

Our analysis requires an accurate description of the potential interactions be- 
tween the agents. Many type systems [25] and control flow analyses [5] [3] 
propose a uniform description of these interactions in which recursive instances 
cannot be distinguished. In [211 HB1 EQj , we proposed non- uniform control flow 
analyses, which distinguish between recursive instances of names. All these 
analyses abstract away the properties about concurrency. 
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2.2 Groups 

Groups [HI [7] are used in type system to prevent certain communications. Re- 
cursive instances of groups are distinguished. The communication of a name 
outside the initial scope of its group is forbidden. On the contrary, our analysis 
computes relationship between the partition classes of interacting threads. So 
we can analyze systems where a name first exits the scope of the thread that 
had declared it and then returns inside this scope. 

2.3 Numerical domains and concurrency 

Numeric analyses are widely used to analyze concurrency properties such as mu- 
tual exclusion and non-exhaustion of resources. Disjunctive completion-based 
domains are used in [32] to count globally the components in ambients and in 
[331 124] to count the components inside each ambient. These domains ignore 
the algebraic structure of numerical properties. Consequently, these analyses 
are exponential in time. In [211 US] > we use affine equalities to count the threads 
of 7r-calculus systems in polynomial time. This analysis counts threads glob- 
ally, regardless of their linkage. In the present paper, we use information about 
the dynamic linkage of threads to gather threads in partition classes. Then 
we count the number of threads inside each partition class. Our approach is 
model-independent [22]. Besides, we can detect and prove history-dependent 
and spatial-dependent properties (e.g. see Ex. 14.6ft . 

2.4 Behavioral types 

Behavioral types can express complex concurrency properties such as the ab- 
sence of race conditions. But, in 26 , some properties involving several names 
cannot be checked because of the abstraction (e.g. see Ex. 14.21) . The type sys- 
tem in |34[ HOj can express and check more properties, but the type checking 
algorithm does not always terminate, whereas our inference algorithm does in 
polynomial in time. Moreover, our occurrence counting and control flow anal- 
yses refine each other thanks to local trace partitioning. In Ex. 14.31 we cannot 
analyze precisely mutual exclusion without the help of a precise control flow 
analysis. 

3 Contribution 

In this section, we describe the main contributions of this paper. 

This paper is a summary of the framework proposed in [22[ Chap. 10]. This 
framework is generic with respect to the model. In this paper, we focus on 
systems that are written in the 7r-calculus. The main contributions of this 
paper are the following: 

1. thread partitioning: in this paper, we partition the threads of a mobile 
system according to some semantics criteria; 
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2. local trace partitioning: then, we provide an extended labeled transition 
system in which each computation step is annotated with information 
about the partition classes of the threads that interact; this allows several 
analyses to share information about the partition classes of the threads 
that interact; 

3. control flow analysis: we refine existing analyses [TS1 [2131 |2"T1 12"2"] so as to 
take into account the constraints about the partition classes of the threads 
that interact; 

4. content analysis: we propose a new analysis to count the number of 
threads inside each partition class; this analysis is parametric with re- 
spect to a numerical domain (we use the same domain as in the occur- 
rence counting analysis [TH1 [HI H2] that counts the number of threads in 
the whole system). 

4 Examples 

In this section, we give some examples to motivate our framework. 
4.1 Our running example 

First, we introduce an example that is easy to analyze: we prove that there 
are never two simultaneous outputs over the same channel in a shared memory 
written in the 7r-calculus. We give a manual proof in order to stress the prop- 
erties that are useful during the analysis. The goal of this example is just to 
understand how the analysis behaves: we use this example all along the paper. 

We use a version of the 7r-calculus inspired from [251 [37J • Let V be an 
infinite set of variables and £ be a finite set of labels. Let c, x, y £ V be some 
variables, I £ C be a label, and x £ V* be a tuple of variables. The agent (P \ Q) 
denotes the parallel composition of two agents P and Q. It performs P and Q 
simultaneously. The agent (y x)P binds the variable a: to a fresh channel name 
in P. The agent docs nothing (it is usually omitted). The agent c\ l [x].P sends 
a message (i.e. a tuple of channel names) via the channel the name to which the 
variable c is bound. The agent c? l \x].P waits for a message on the channel to 
which the variable c is bound, and binds the tuple x of distinct variables to the 
received names. The agent *cr\x].P is a resource which replicates itself when 
receiving messages. Name restriction [y x)P and message reception cl l \x].P 
or *c? l [x].P are the only variable binders. We denote by fv(P) the set of the 
variables that are free in P. Labels help in locating syntactic components. 
Moreover, the notation * P stands for [y reci)(reci\ l [) | * reci? 1 [].(req!* [] | P)) 
where I, V, and I" are fresh labels, and reci £ fv(P): it denotes an unbounded 
number of concurrent instances of P. 

Example 4.1 (a shared memory) A shared memory with dynamic alloca- 
tion of cells may be described in the ix-calculus as follows: 
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[y alloc) (v null) 

( *alloc? 1 [address]. (v cell)(f read)(^ write) 

( cell! 2 [null] | address^ [read, write] 

| *READ? 4 [>rf]-cell? 5 [m/].(cell! 6 [va/] | fwS7[vat\) 

| *WRlTE?>a/', acfc]. cell? 9 H.(cell! 10 [W] | ackl 11 ^)) 
| * 12 {v add)al\oc\ 13 [add].add? li [read, write}. 

( * 15 [v return ) read). 16 [return ] . return ? 17 [x] 

\* 18 (v data){v ack) writel 19 [data , ack].ack? 20 [])) 

Whenever a message is sent via the channel name declared by the restriction 
{v alloc) (at program point 1), a memory cell is allocated. Three names are 
introduced. The name cell encodes the contents of the memory cell: the con- 
tents of the cell are always output once over the channel named cell (the name 
null denotes the initialization value); the names read and write encode re- 
spectively the capability to read and to overwrite the contents of the cell. The 
client is given the capability to interact with the cell (at program point 3). The 
memory can deal with an unbounded number of read ( at program point 4 ) and 
write (at program point 8) requests. A read request requires a return address 
to which the contents of the cell are forwarded (please note that we copy the 
contents of the cell once, so as not to lose them). A write request requires two 
arguments, the new contents and an acknowledgment address: the cell contents 
are first removed and then replaced with the new contents, the acknowledgment 
controls client requests sequentiality. An unbounded number of clients are cre- 
ated ( at program point 11). Each client creates a cell and performs an arbitrary 
number of read (at program point 15) and write (at program point 18) requests. 

We want to prove that there is never more than one simultaneous output 
on any channel c opened by an instance of the restriction {y cell). First, we 
propose a manual proof to give intuitions about our framework. The analysis in 
this paper discovers this property automatically. Let us denote by M the set of 
the names introduced by an instance of the restriction (y cell), we will prove 
that at any configuration of the system and any name c E M: there is either no 
thread, or exactly one output (at program point 2, 6, or 10 ) on the corresponding 
channel. For any configuration C and any name c E A4, we define y(C, c) as 
whenever the name c has not been allocated yet, and as 1 otherwise. We 
denote by Xi (C, c) the number of threads at program point i that operate on the 
channel named c. Now, we prove by induction over the history of the system 
that 22 (C, c) +xq(C, c) +xio(C, c) — y(C, c) — 0. At the beginning of the system, 
we have, for any c E M, x 2 (C, c) = x 6 (C, c) = x w {C, c) = y(C,c) = 0, so the 
property holds. When two threads at program points 1 and 13 interact, a fresh 
name c is allocated. Since this name is fresh, we have, before the interaction, 
X2(C,c) — x e (C,c) — x w (C,c) — y(C,c) = 0; after the interaction, we have 
X2(C, c) = y(C, c) = 1 and Xq(C,c) = X\q{C,c) = 0. This way, the property 
still holds. We now consider an interaction between a thread U at program 
point i E {5; 9} and a thread tj at program point j E {2; 6; 10}; this interaction 
launches a thread at program point i + l. We consider several cases according to 
the relationships among the channels on which these three threads operate. There 
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are 5 cases: they may operate on the same channel, on two distinct channels 
(three cases), or on three distinct channels. We use a control flow analysis to 
detect which cases are possible: we detect that the only possible case is the case 
where the three threads operate on the same channel c. During the transition, 
Xj is decremented and Xi + ± is incremented (xj is not changed when j = i + 1 ), 
so the property of interest still holds.d 

4.2 More complex examples 

In this section, we describe more complex examples in order to illustrate some 
difficulties that can be tacked by our analysis. 

Example 4.2 (related names) Our analysis can abstract the usage of several 
names together. We consider the following system ( adapted from '261 ) in the 
ir-calculus: 

(v b) (sb? 1 ^, c', c"].{v l){v m)(i/ r) 

(l! 2 [] | c! 3 [l] | c'! 4 [m] | c"! 5 [r] | * 6 m? 7 [].r! 8 []) 
|*V c){u c'){v c")(b! 10 [c,c',c"]. 

The server (at program point 1 ) creates several objects. Each object is made of a 
lock 1, a method m, and a return address r. Each session (at program point 15 ) 
consists in locking the method, calling the method, receiving the returned value 
(which is abstracted away), and then releasing the lock. There is an unbounded 
number of clients (at program point 9). Each one creates an object (at program 
point 10 ), receives the lock, the method, and the returned address during three 
channeled communications, and performs an arbitrary number of sessions (at 
program point 14). We partitioix] the threads according to the recursive instance 
of the resource that has declared the name of the channel on which each thread 
operates. Our analysis detects and proves that there can never be more than 
one simultaneous call of the same method. This result is beyond the reach of 
f261j , because the names 1, m, and r are not communicated during a single 
communication. □ 

Example 4.3 (control flow dependence) We now illustrate the importance 
of the control flow analysis. We describe a doubly-linked list of cells as follows: 

(v rec){v \q)(v c )(v t q )(u set) 
(red 1 [1 , c , r ] 

| *rec? 2 [l„,c„,r„].(^ l„+i)(i/ c n+ i)(p r n+i ) 

(rec! 3 [l„+i,c n+ i,r n+ i] | c„! 4 [] * 5 SEt! 6 [1„, c„, r„] 

| * 7 l n+ i! 8 [l n , c„,r„] | * 9 r„! 10 [l n+ i, c„+i,r n+ i]) 
| * SET? n [l, c, r].r? 12 [l', c', r'].l'? 13 [l", c", r"].c? 14 [].c"! 15 []) 



1 This partitioning is made possible in the non-standard semantics where each name is 
tagged with the identifier of the thread that has declared it (see Sect. [5j. 
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Each cell is encoded by three names: the name 1„ encodes a backward pointer 
to the previous cell, the name c n encodes the cell address (the contents are 
abstracted away), and the name r„ encodes a forward pointer to the next cell. 
Each cell is output on the channel named SET (at program point 6). Then, at 
program point 11, we pick a cell. We collect its address c, we follow the forward 
pointer, then we follow the backward pointer, and we collect the address c" of 
the reached cell. The control flow analysis U8}/ detects that the addresses c and 
c" are the same. This information is passed to the occurrence counting domain 
thanks to the local trace partitioning. Thus, we prove automatically that there 
is no simultaneous outputs over an instance of a channel named c n . 

It may look a bit curious to use two variables for the same name. But, these 
kinds of things are common in automatically generated systems. With a more 
general point of view, this difficulty is similar to the problem of aliasing in data 
structures. □ 

Example 4.4 (a 2-semaphore) Our analysis is not limited to the detection 
of mutual exclusion. In the following example: 



our analysis detects automatically that there are never more than two simulta- 
neous outputs over an instance of the channel a. Besides, our analysis detects 
and proves the number of simultaneous outputs without requiring a bound on the 
number of copies that have to be distinguished by the analyzer. □ 

Example 4.5 (synchronous communications) Content analysis can also re- 
fine the control flow analysis. In the following system: 



the content analysis detects that, for each instance, the thread at the program 
point 2 ( resp. 6 ) and the thread at the program point 3 ( resp. 5 ) are in mutual 
exclusion. The control flow analysis uses this information to prove that the 
variable u (resp. v) can only be bound to a channel opened by the restriction 
(v c) (resp. (yh)). □ 

4.3 An example in mobile ambients 

Our last example is written in another process calculus to illustrate that our 
framework is generic. 

In mobile ambients [9] , a system is described by a hierarchy of named sites 
n'[P], called ambients (n is a name, I is a label, and P is a process). Ambients 
may contain some other ambients and some agents in l n.P/ out .P j open l n.P that 
provide them the capability to move in the hierarchy of ambients or to open 
some ambients (when an ambient opens another one, the former ambient gets 
the contents of the later). These interactions are controlled both by ambient 
names (the name of the target ambient and the name occurring in the capability 




(*V a)(i/b)(i/ c)(a! 2 [b].a? 3 [it]. M ! 4 [ M ] | a? 5 [u].a! 6 [c].t;! 7 [u])), 
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must be the same) and by spatial constraints. These interactions are described 
by the following reduction rules: m t [m k n.P \Q] | n?[R] ^ n^m^P \ Q] \ R], 
n3[m l [out k n.P Q] \ R] ^ m l [P \Q] \ n j [R], and operin.P \ nP[Q] -H P | Q. 
Ambients are also fitted with communication primitives: the agent (x) l .P waits 
for a message (that can be either a name or a capability path), whereas the 
agent (y) 1 sends a message. These communications are not channeled because 
threads can communicate only when they are in a same ambient. Both ambients 
and ambient names can be created dynamically. As in the 7r-calculus, we use 
guarded replication: the agent \(x) l .P duplicates itself when receiving a message 
and the agent lopen l n.P duplicates itself when opening another ambient. 

Example 4.6 (the contents of an ambient) A client-server protocol may be 
described in the ambient -calculus as follows: 

(y make)(r/ server) {y giveJd)(^ instance) [y client) 
(server 1 [ ! open 2 give_id.O 

| ! (k) 3 .instance 4 [m 5 k. out 6 server. in 7 client .0]] 
| client 8 [ !(x) 9 .((^ p)p 10 [ out 11 client. | open 12 instance.O 

| m 13 server.giveJd 14 [owi 15 p. < p > 16 ]] 
< make > 17 ) | < make > 18 ]) 

In this protocol, some packets are created (at program point 10). They are ini- 
tially located in the ambient client 8 [•]. Each packet is identified by a fresh 
name p. The packet contains some routing information to enter the ambi- 
ent server 1 [•]. Once inside the server ambient, the packet expels an ambient 
giveid 14 [•] in order to communicate the name of the packet to the server. The 
server may open this ambient ( at program point 2 ), receive the name of the 
packet ( at program point 3 ), and create an ambient ( at program point 4 ) that 
enters the packet. Then the packet opens (at program point 12) this ambient 
to receive the capability to return inside the ambient client 8 [•] . In this exam- 
ple, we abstract away what is happening to the packet while it is in the server 
domain. 

We partition the threads (both agents and ambients ) according to their loca- 
tion and the location of their surrounding ambient. Then, we count the number 
of threads inside each class of the partition. Our analysis discovers the con- 
tents of the packet according to its position in the network. For instance, we 
detect that whenever the packet is inside the ambient client 8 [•] : it contains 
only threads at the program points 4, 11, 12, and 13; moreover, either there is 
exactly one thread at each program point 11, 12, and 13, or no threads at these 
three program points. Similar information are inferred for the other potential 
locations of the packet. We notice that our analysis loses all information about 
the number of threads at program point A, because it cannot infer that for a 
given packet, only one instance can receive the name of the packet. But since 
we detect that only one can be opened, this has no influence on the inference of 
the other properties. As in Ex. \4-l\ we require an abstraction of the local history 
of each packet to reach this accuracy level: we count the number y\ of each kind 
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A of transition, we also consider the variables z\ that are defined as z\ — if 
y\ = 0, and z\ = 1 otherwise. □ 

5 Non-standard semantics 

To prove the properties that interest us, we need to distinguish recursive in- 
stances of threads. Standard semantics are not convenient, because the a- 
conversion breaks the relations between the threads and the name of the chan- 
nels that they open. In this section, we recall a non-standard semantics |18[l2Tl 
22 . This semantics is more concrete: each thread is annotated with information 
about both its history and the history of the names that it handles. 

5.1 Notations 

We consider a closed mobile system S (i.e. f v(S) = 0) in the 7r-calculus. We may 
assume that each variable is bound exactly once in the system (either by a name 
restriction or by an input) . We may also assume that syntactic components are 
labeled with distinct labels. For any label I £ £, we denote by comp(Z) the sub- 
process the first action of which is labeled with I. We define type(Z) as input if 
comp(Z) matches cl l [x\, . . . , x n ].Q, as output if comp(Z) matches c! ! [xi, . . . , x n ].Q, 
and as fetch if comp(Z) matches *c? l [xi, . . . ,x n ].Q. Besides, with the same no- 
tations, we define chan(^) := c, arg(Z) := [xi, . . . , x n ], and cont(Z) := Q. For 
any process P, we define the set f3(P) of the labels of the threads that are 
launched in P, f3(P \ Q) := (3(P) U /3(Q), j3((v x)P) := (3(P), (3(0) := 0, and 
P(cl l [x 1 ,...,x n ].P) :=p(c? l [x 1 ,...,x n ].P) :=[3{*cl l [x u ...,x n ].P) := {I}. For 
any label I, we denote by 1(1) the set of the variables that are free in the threads 
at program point I. Thus, we define I(/) as f v(comp(/)). 

5.2 Semantics 

We define a non-standard semantics in which both threads and channel names 
are tagged with the history of their creation. History markers id £ C* are 
sequences of labels in C. Markers encode the history of the replications which 
have led to the creation of thread instances. The markers of initial threads are 
e. When a computation step does not involve fetching a resource, markers are 
just passed to the continuations; when a resource is fetched, the new instance 
is tagged with h.id\ where l\ and id\ are respectively the label and the marker 
of the output thread. 

Then, we stamp each name with the marker of the thread which has declared 
it. Thus, a channel name is a pair (x, id) composed of a variable i£V and a 
marker id € C* , which means that this is the name of the channel that has been 
opened by the restriction (v x) of a thread tagged with the marker id. 

A configuration of the system S is a set of thread instances. Each thread in- 
stance is a 3-tuple composed of a label I G C that denotes a syntactic component, 
an unambiguous marker id £ £*, and an environment E G 1(1) — > V x C* which 
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1 := launch^, e, 0) 

(a) Non-standard initial configuration. 



' E ? (chan(lt)) = Ei(chan(h)), 
type(Z?) = input, type(7i) = output, 

< [yi,...,y n ] :=arg(Z ? ), [x 1 ,...,x n ] := arg(Zi), 
C£? := launch(cont(Z?), id?,E?[yk i— > -Et(:r/c)]), 
Cii := launch(cont(Z!), -Ei), 

CU{(/ ? ,id?,£; ? );(Z ! ,?d ! ,£; ! )} (i -^ ) (C*U C< ? U Ct,) 

'^ ? (chan(/?)) = ^(chan^i)), 
type(l?) = fetch, type(Zi) = output, 

< [yi,...,y„] :=arg(Z ? ), [xi, . . . ,x„] := arg(Zt), 
Ct? := launch(cont(Z?), Zt.idt, E-?[yk > E\(xk)]), 
Ct\ := launch(cont(/i), id\, E\), 

C U {(/?, id?, £?); (it, 1(4, EOl'^^C U {(/?, id?, Ej)} U Ct? U C%) 

(b) Non-standard transition system. 

Figure 1: Non-standard semantics. 

specifies the channel names to which free variables are bound. Thread instances 
are created at the beginning of the computation and when agents interact. The 
function launch applied to a subprocess, a marker, and an environment, col- 
lects all the threads that are spawned when a continuation is launched: we set 
launch(P, id, E) := {(l,id,E t ) | I € (3(P)}, where, E x e l(Z) -)Vxf maps 
any x <E 1(7) R Dom(E) to E(x), and any x € \ Dom(E) to (x, id). This 
simulates name restriction by binding any new variable x to the name of the 
channel opened by the restriction (y x) of a thread the marker of which is id. 
The initial state and computation rules are given in Fig. [TJ The correspondence 
between the non-standard and the usual semantics is proved in |211 122] . 

Example 5.1 (the shared memory (cont.)) We apply our non-standard se- 
mantics with our shared memory example (see. Ex. We obtain the initial 
state Cq — {ti;t2',t3} where: 

t\ = (1, e, [alloc i— > (alloc, e), null ^ (null, £•)]), 

t 2 = (12, e, [reci2 h-> (rec 12 ,e)\), and 

*3 = (12', e, [alloc i— > (alloc, e), reci2 i— > (rec\2,e)]). 

The thread t\ is a resource that can allocate memory cells, the thread t% can 
interact with the thread t^ to create clients recursively. Since these three threads 
are in the initial state, their thread marker is e. 
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We create a first client by making the threads i 2 and £3 interact. We obtain 
the state C\ = {t\\ ts; t±\ t^}, where: 

t 4 = (12", 12, [reci2 >-> (reci 2 , e)]) and 

t 5 = (13, 12, [alloc i-> (alloc, e),add ^ (add, 12)]). 

The thread £4 allows the creation of further clients and the thread t§ describes a 
client that can allocate a memory cell. We create a second client by making the 
threads £4 and t 3 interact. We get the state C 2 = {ii; £3; H; te; tj}, where: 

t e = (12", 12". 12, [rcc 12 i-> (rec 12 ,e)]) and 

t 7 = (13, 12".12, [alloc 1 ► (alloc, e),add ^ (add, 12". 12)]). 

The thread te allows the creation of further clients and the thread t? describes the 
second client. Both clients are identified by their thread markers 12 and 12". 12. 
Besides, the link between threads and the channel names that they handle is 
explicit: the thread ts can operate on the name (add , 12), whereas the thread tr 
can operate on the name (add, 12". 12). □ 

6 Thread partitioning and trace partitioning 

In this section, we first partition the threads of the system in several parti- 
tion classes. Then we partition computation steps according to some relations 
about the threads that are involved. As a result, we obtain an extended labeled 
transition system. 

6.1 Thread partitioning 

Let B be a finite set of keys. Our analysis is parameterized by a function 
getvar mapping each program point label I to a function in B — > 1(1). Then, 
we partition the threads t = (I, id, E) in a configuration according to the value 
S(getvar(Z)(6)) of the variable getvar(Z)(&) for each key b G B. We can also 
partition threads according to the markers of their names (we focus on parti- 
tioning according to full names to simplify the presentation.). For example, to 
prove the absence of race conditions, we gather the threads that operate on the 
same channel (we define B as {6} and getvar(Z)(6) as chan(Z)). In ambients, 
we partition threads in accordance with their location and the location of their 
surrounding ambient (thus, B contains two keys). We know that: whenever two 
threads are in the same ambient, the location of their surrounding ambient is 
the same (partitioning the threads also according to the location of their sur- 
rounding ambient allows for a more precise partitioning at the abstract level). 
We denote by B s C B a set of keys, such that: for any configuration C, for 
any threads t\ — (p\,idi,Ei) and t 2 = (p 2 , id 2 , E 2 ) in the configuration C, if, 
for any b G B s , _Ei(getvar(pi)(6)) = S 2 (getvar(p 2 )(b)), then, for any b G B, 
£i(getvar(pi)(6)) = E 2 (get var(p 2 )(&))• This implication will be useful when- 
ever we know that two threads arc in the same configuration but in distinct 
partition classes. 
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Each partition class is identified by a function / € B — ► V X £*, called 
computation unit. We denote by unit the set B — » V x C* of all computation 
units. There may be an unbounded number of computation units. We gather 
them into a finite set of abstract computation units by abstracting away the 
information about markers: we define the set unit" of abstract computation 
units as B — > V. The abstraction function a UNIT maps each computation unit 
[(b G B) I— > (Z fc , idh)] G unit to the abstract one [b h-» l b ] G unit". 

6.2 Local trace partitioning 

We consider a computation step t — (C l —i ) C). We denote by t? — (I?, id?, E?) 
and by t\ = (l\,id>,E\) the threads that interact in the computation step r. 
The thread i? launches one thread for each label I in the set /3(cont(Z?)) and 
the thread ii launches one thread for each label I in the set /3(cont(Zi)). We 
denote by n? the cardinal of the set /3(cont(/?)) and by ni the cardinal of the 
set /3(cont(Zi)). Thus, the computation step r involves 2 + n? + n\ threads. Each 
of these threads is denoted by a pair (7,o) G C x {?; !} where I is the label of 
the thread program point and o is equal to ? when this thread is related to the 
input thread or to ! when this thread is related to the output thread. This way, 
we denote by T(l?,h) the set {(Z,o) o G {?; !}, I G {k} U /3(cont(7 ))}. 

To get a more precise analysis, we partition the set of computation steps ac- 
cording to some properties about the computation units of the threads that are 
involved in these computation steps. We denote by CONTEXT(7?, l\) the set of 
pairs (~,j4) such that ~ is an equivalence relation^ in p(T(l?,l\) 2 ) that relates 
the threads that share the same computation unit and A G (T(l?, — > unit" 
maps each equivalence class to its abstract computation unit. Intuitively, the 
relation (ii, Oi) ~ (h, 02) means that the thread denoted by the pair (h,oi) and 
the thread denoted by the pair (^2,02) are in the same computation unit; more- 
over, A([{l,o)]^) is the abstract computation unit of the thread denoted by the 
pair (l,o) . More formally, we denote by unit T the function which maps any pair 
(I, o) G T{h, I]) to the computation unit of the thread denoted by the pair (I, o). 
Then, we define the abstraction function a STEP which maps each computation 
step to its partition case as: a STEF (T) :— (~, [[a]^ <— > a VN1T (unit T (a))]), where ~ 
is defined as a ~ b if and only if unit T (a) = unit T (b). 

7 Abstraction 

In this section, we use the abstract interpretation framework [TTJ [13] to design 
a generic abstraction of transition systems. 

2 Given an equivalence relation ~ over a set A, [a]~ denotes the equivalence class {b S 
A I a ~ b} of a and A^ denotes the set | a £ A}} of equivalence classes. 
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7.1 Reachable states 



We denote by C the set of all configurations, by £ the set of pairs in Uag£ 2 x 
CONTEXt(A), and, for any finite set V C V of variables, by £(V) := C* x (V — > 
(V x £*)) the set of marker/environment (over V") pairs. We are interested in 
C(S), the set of all configurations that are reachable through a finite computa- 
tion sequence. The set C(S) is the least fixpoint of the U-complete endomor- 
phism F on the complete lattice p(C), where F is defined as [X i— > X U {C £ 
C | 3C £ I, 3A £ E, C^+C 7 }]. This least fixpoint is usually not decidable, 
so we use a relaxed version of the abstract interpretation framework |15j to 
compute a sound — but not necessarily complete — approximation of it. 

7.2 Generic abstraction 

We choose an abstract domain, which is a set of abstract symbolic properties 
about configurations. It captures the properties of interest and abstracts away 
the other properties. Each abstract property is mapped to the set of the concrete 
elements which satisfy this property by a concretization map 7 G C" — > p(C). 
The abstract domain is fitted with several primitives to handle its elements. 
An abstract union U £ pflnitc(C) — ► C* gathers the information described by 
several abstract elements. It satisfies: Va" £ A\ 7(0') C 7(U(A")). We also 
need an abstraction X* £ C* of the initial configuration (i.e. I G 7(2*)). To 
simulate computation steps in the abstract, we introduce an abstract operator 
POST £ C" xS^C*. This operator partitions each transition into several sub- 
cases: given an abstract property C" € C" and a sub-case A = (A, context) £ S, 
the set 7(post(C", A)) contains all the states C G C that are reachable from 
any state C G 7(C) by a computation step r = C^+C such that context = 
<Xstep(t). An abstract element _L such that 7(-L) = provides the basis for 
our abstract iteration. Finally, we use a widening operator V : C* x C" — > C" 
to ensure the termination of our analysis. It satisfies VCj, G C* 1 , 7(Cj) C 
7(C|VC|) and C 7(C}V(7|); moreover, for any sequence (C„) G C» N , the 

sequence (Cj) that is defined by Cj 7 := Co and Cj +1 := VC„ + i for any 
n > 0, is ultimately stationary. We do not use narrowing because, we iterate 
only functions / G C" — > C" that satisfy: 7(a) C y(f(a)). 

Definition 7.1 ^ny iwpZe (C", U, J_, 7,X", POST, V) t/iai satisfies these assump- 
tions is called an abstraction. 

Given an abstraction A = (C', U, _L, 7,2"", POST, V), we define the abstract 
counterpart F^ of the function F as the function that maps any abstract element 

G & to the abstract element U({post(C", A) | A G £} U {I 1 *}). The function 
Fi satisfies the soundness condition VC» eC*,Fo 7 (C ti ) C 7 o F^C 11 ). 

Then, we extrapolate the iterates of F^. We define the abstract iteration 
[133 [H] of Fi as Tl := _L and := ^VFl(^) for any n > 0. The 

abstract iteration (JF^)„ gN is ultimately stationary. Moreover, its limit [<S]^ 
satisfies C(S) C 7([<S]^) because F is monotonic. 
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7.3 Coalesced product 

Several abstractions can be composed to refine each other. We consider two 
abstractions: 

Ai = (C},Ui,±i,7i,2},POSTi,Vi), and 
A 2 = (Ci,U2,± 2 ,72,j|,POST 2 ,V 2 ). 

We define the coalesced product between the abstractions A\ and A2 as the 
tuple (C*,U,-L, 7,1", POST, V), where the domain & is defined as Cf X Cf; 
the concretization 7 is defined as the intersection of the two concretizations 
(i.e. 7(0., b) := 71(a) ("172(6)); the abstract union U, the element JL, the widening 
operator V, and the abstraction X" of the initial state are all defined pair- 
wise; the abstract element POSt((Ci, C 2 ), A) is defined as _L whenever either 
posti(Ci,A) = ±1 or post 2 (C 2 ,A) = _L 2 , and as (posTi(Ci, A), post 2 (C 2 , A)) 
otherwise. The coalesced product between Ai and A2 is also an abstraction. 
We stress on the fact that the coalesced product is more powerful than a mere 
product. Thanks to the extended labeled transition system, several analyses 
can share constraints about the threads that are involved in computation steps. 
This way, analyses refine each other. 

We use our framework with the coalesced product between an analysis of the 
dynamic linkage between threads (Sect. [5]) and an analysis of each computation 
unit contents (Sect. [5]). 

8 Environment analysis 

We design an analysis of the dynamic linkage between threads. This analysis 
aims at capturing the relationship between the computation units of the threads 
that are involved in computation steps. 

8.1 Abstract domain 

Our goal is to map each program point label to an abstraction of the set of 
the marker/environment pairs which may be associated to any thread at this 
program point at run-time. So, we introduce for any set of variables FCVa 
parametric abstract domain Atom(V) of properties. The concretization 7y(a) 
of a property a G Atom(V) is a set of marker/environment pairs m in p{£ (V)). 
The operator U v maps each finite set of properties to a weaker property: for 
each finite set A C Atom(V), Va G A, Jy(a) C 7 v (UyA). The element L v 
is an abstraction of the empty set (i.e. we assume that 7y(J_y ) = 0). The 
operator \7 V is a widening operator [16j . Then, our main environment abstract 
domain C| nv is the set of the functions that map each program point label I G C 
that occurs in the system iS to an element in Atom(l(l)) . The domain structure 
(U cnv , _L cnv , and V cnv ) is defined point wise. The abstract domain C| nv is related 
to p(C) by the concretization function 7 cnv that maps each abstract property 
/ G C| nv to the set of configurations C G C such that V(Z, id, E) G C, (id, E) G 
7i(0(/(0). 
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Example 8.1 (labels and equalities) We propose a simple cfa domain to 
analyze the shared memory example (see Ex. \4-l\ l- In this example, the names 
that occur in computation units are never communicated. As a consequence, 
equality among variables ]2(A Sect. 5.1.1] and a uniform approximation of the 
control flow J31 0/ are enough. In general, numerical abstractions of markers 
1 181 [Wij are required. All these analyses JH [13 ESF are polynomial time. 

Given a set K, of variables, we introduce the abstract domain ^F(JC) as the 
set -Ljr(je) W ((£ i * p{£)) x p(fc x {=;7^} x K>))- Each abstract element e G 
^"(/C) denotes a set 7jr(X)(e) C /C i— > C x C* of functions. More precisely, 
7^(/c)(-L^(K)) = and 7jf(k)(/,c) = {g | V(ar,o,j/) e c, g{x) O g{y) and Vx € 
/C, Bid G £*, = (f(x),id)}. This way, in the abstract element (/, c), </ie 

function f describes constraints about the label of values and the set c describes 
constraints about equality and inequality relations among values. 

We define a partial order Q^t/c) over T(1C) as: J_ Qy^t/c) x, for any x G 
TiJC), and (fx, ci) Q^i/c) (/2, C2) «/ and only if both f\(x) C /2(a;) and C2 C c\. 
We notice that the concretization J^(fc) is monotonic with respect to Qyr^. 
Several abstract elements may have the same concretization, nevertheless, for 
each abstract element e G ^(/C), the set of the elements e' G J-{K) such that 
lF{K){ e ) — 7j^(K)( e ') has a least element that we denote p(e). The element p(e) 
is called the normal form of e. We denote by .F n (/C) the set {p{e) \ e G J-(IC)} 
of all normal forms. We denote by Ejr n( x) the restriction of C^nt) t° ^(IC). 
Each subset A C .F n (/C) has a least upper bound with respect to Q^r/Cj, that we 
denote by U^^) . 

The domain J- n {V) is a good candidate for Atom{V). We also set 7y := 
[a C* x 7F-„(y)(a)], U v ■= U.^ n (y) } and ± v :— -Lp(v)- Since F n {V) is a 
finite domain, we define the widening operator \7 V as aV v b :— Ujr tl (y){a; b}. □ 

Now, we simulate the non-standard semantics in the abstract. 
8.2 Initial state 

At the beginning of the concrete computation, the configuration contains one 
thread at each program point the label of which is in the set (3(S). Thread 
markers are e and environments map each free variable x to the name (a;, e). 
In the abstract, we require two primitives. First, the abstract property e% G 
Atom{%) is the abstraction of the pair (e, 0). This means that: {(e, 0)} C 7 (£0). 
Then, the primitive v* simulates name allocation. Let V be a set of variables 
and x G V \ V be a fresh variable. The primitive v\ is a function in Atom(V) — > 
Atomiy U {x}) and, for any abstract element a G Atom(V), the concretization 
7yu m contains at least all pairs (id,E) G £(F U {a;}) such that (i) 
(id,E lv ) G 7 v(a), (ii) E(x) = (x, id), and (iii) Vy G V,J5(y) 7^ E{x). 

Example 8.2 (labels and equalities (cont.)) In our simple cfa domain (see 
Ex. \8. 1\) . the primitive 6$ can be defined as (0, 0) (where, in the first component, 
the symbol denotes the function defined over the empty set). Moreover, we 
define v% by: f|(J- v ) := -L v and by f|((/,c)) := p(f',c') where f := f[x ^ x] 
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I* 



Z£/J(<S)~J_ I(;) , 

Z G 0(S) ~ 4 n (. . . (J X1 (e )) . . .), (where {x u . . . , x n } := 1(0) 

(a) Initial configuration abstraction. 

Let Z? and Zi be two program point labels in £, such that type(Z?) G 
{input, fetch} , type(Zi) = output, and such that the length of the lists arg(Z?) 
and arg(Zi) is the same. We denote [y\, . . . , y n ] = arg(Z?) and [x\, . . . , x n ] — 
arg(Zi). Let (<~, A) G CONTEXt(Z?, Zt) be a partition case and ENV G C| nv be an 
abstract element. 
We define: 

• INPUT := env(Z?) and OUTPUT := ENV(Zi); 



• INPUTi : = 



{fetch(Zi, inpuTq) whenever type(Z?) = fetch, 
INPUTq otherwise; 



• INPUT3 := v\ o (. . . (J Ui (NEW,„ (. . . (NEW W (INPUT!)) . . .))) . . .) 

where {uf, ...;u }:= {\J{l(l) I 1 £ /?(cont(Z ? ))}) \ f v(cont(Z?)), 

• OUTPUT3 := v\ p {. . . (^(oUTPUTo)) . . .), 

where {v\; ...;v p }:= {{J{l(l) \ I G /3(cont(/i))}) \ f v(cont(Zi)); 

• molf) := INPUT3 • OUTPUT3; 

• cons := com U part = U part^ U partm, where: 

com := {(chan(Z ? ), ?) = (chan(/i), !)} U {{y k , ?) = (x k , !) | 1 < k < n}, 

part = := {(getvar(Zi)(6), Oi) = (getvar(Z 2 )(6), o 2 ) | (h,Oi), (Z 2 ,o 2 ) G 
T{h,h), beB, (Zi,<>i)~(l2,02)}, 

part^t ■= {(getvar(Zi)(&),Oi) = (getvar(Z 2 )(6), o 2 ) | {h,Oi), (Z 2 ,o 2 ) G 
T{h,h), (Zi,Oi)/(i 2 ,<>2), B s = {b}}, 

part lbl := {lbl((getvar(Z)(6),o), i4([(Z,o)]„)(6)) | (Z,o) G T(Z ? ,Z,)}; 

• moZi := SYNC(cons, mokf); 

• POST env (ENV,((Z ? ,Z!),(~,A))) : 



where env' := 



J-env if moh = -L ( v,,v,)) 

U onv {ENV; env'} otherwise, 

Z 1 > GC(I(Z), FST(moZi)) whenever Z G /?(cont(Z?)), 
Z h-> GC(I(Z), SND(moZi)) whenever Z G /3(cont(Zi)), 
Z 1 ► otherwise. 

(b) Abstract POST operator. 

Figure 2: Environment analysis. 
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and d := cU{(.t,^,o) | a £ V}. This means that we know that the channel has 
been opened by an instance of a restriction (v x) and we know that this value is 
fresh. Then, we apply our closure p. □ 



The abstraction 2| nv £ C| nv of initial state is defined in Fig. 2(a) as the func- 
tion that maps any program point I to the abstract element v\ (. . . \y\ (e©)) . . .) 
whenever I £ 0(S) and {x\\ . . . ; x n } :— 1(7); an d to the abstract element -Lx(i) 
otherwise. 



Example 8.3 (the shared memory (cont.)) We apply our analysis with the 
simple cfa abstract domain (e.g. see Ex. \8.1\) on the shared memory system 
(e.g. see Ex. \4-l\ )- We obtain that: 2f nv (l) = p([alloc i— > alloc, null *—> null],0), 
2|n V (12) = p([rec 12 h-> reci 2 ],0), J| nv (12') = p( [alloc h-> alloc, reci 2 h-> reci 2 ],0), 
and 2f nv (Z) = ± 1{l) for any I # {1; 12; 12'}. □ 

8.3 Transition step 

In the concrete, an interaction involves two threads: at a program point 
labeled with I? and t\ at a program point labeled with h. The first thread either 
inputs a message or fetches a resource; the second thread outputs a message. 
We simulate such a transition r in the abstract in Fig. |2(b)[ We start from the 
abstract element env £ C| nv and we define the pair (~, A) £ context^?, h) as 
0!step(t). 

Example 8.4 (the shared memory (cont.)) We apply our analysis with the 
simple cfa abstract domain (e.g. see Ex. \8.1]) on the shared memory system 
(e.g. see Ex. \4-l\ l- As an example, we focus on the interaction between a thread 
at program point 5 and a thread at program point 10 in any calling context 
(~,A) £ CONTEXT^?, h). We also assume that the element env(5) is equal to 
p([cell i ► {cell} , fwd >-> {return }],0) and that the element env(IO) is equal to 
p([cell i — ► {cell}, vat ^ {data}},®). 
We want to prove that: 

• both that interact and the thread that is launched at program point 6 belong 
to the same partition class (i.e. (5,?) ~ (6,?), (5,?) ~ (10, \)); 

• the thread that interacts at the program point 5 and the thread that is 
launched at the program point 7 do not belong to the same partition class 
(i.e. (5,?)/(7,?); ; 

• and that the abstraction of the computation unit of interacting threads is 
[b ^ cell] (i.e. A{[(5, ?)]„)(&) = cell). 

Then, we want to abstract the environment of the thread that is launched at 
program point 6. □ 
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8.3.1 Extending environments 

First, we collect information about the potential binding of the threads i? and 
t\. We denote by input the element env(Z?) and by OUTPUT the element 
env(Zi). In the concrete, a new thread marker is computed when the input 
thread is a resource. We require a primitive FETCH to simulate the allocation 
of this fresh marker in the abstract. For any set V C V of variables, any 
abstract element a E Atom(V), and any label I E C, the abstract element 
FETCH(7,a) E Atom(V) satisfies: the concretization "f v (fetch(/, a)) contains 
at least all pairs (l.id,E) E £(V) such that (id,E) E r y v (a). 

Example 8.5 (labels and equalities (cont.)) In our simple cfa domain (see 
Ex. \ 8.1\) . we do not track any information about thread markers. So we define 
the element fetch(Z, a) as a. □ 

Then, we define INPUTi as fetch(/|, input ) whenever the thread t? is a 
resource (i.e. if type(/?) = fetch), and as INPUT otherwise. 

Example 8.6 (the shared memory (cont.)) In our example, we have: 

INPUTi = p([cell h-» {cell}, fwd^ {return}}, 9) and 
OUTPUTo = />([cell t-> {cell}, vat i-> {data}],®). 

□ 

We now extend the environments to deal with the variables introduced dur- 
ing the interaction. In the concrete, the threads t? and t\ bind some new vari- 
ables to some names. The sequence [y\, . . . ,y n ] := arg(Z?) is the sequence of 
the variables that are bound by name passing. We use an abstract primitive 
NEW to create these variables without any information about them. For any set 
V C V of variables, any variable x E" V , and any abstract element a E Atom(V), 
the abstract element NEW x (o) E Atom(V L) {x}) satisfies: {(id,E) E £ (V U 
{x}) | (id,E\ v ) E 7y (a)} C j Vu{x} {NEW x (a)). 

Example 8.7 (labels and equalities (cont.)) We can define the primitive 
new by NEW x (_L y ) := _L V and by NEW x (/,c) := (f[x i-> £},c). □ 

Thus, we define input 2 by new^ (. . . (new Vi (inputi)) . . .). The set of 
the variables that are bound by name restriction in the thread f? is given by 
{u%; . . . ; u } := (U{l(0 I I G /3(cont(Z?))})\fv(cont(Z?)), whereas the one in the 
thread t\ is given by {v\, . . . ; v p } := (\J{l(l) \ I E /3(cont(Zi))}) \ f v(cont(Zi)). 
We introduce these variables thanks to the primitive zA We define INPUT3 :— 
v\ o (. . . {v\ x (1NPUT2)) . . .) and OUTPUT3 := v\ (. . . {v\ x (output )) . . .). 

Example 8.8 (the shared memory (cont.)) In the shared memory exam- 
ple, the variable val is bound during the communication. Moreover, since no 
variable is bound by a name restriction, the abstract element INPUT3 is equal to 
p(f, 0) where f = [cell 1— > {cell}, fwd 1— » { return } , val 1— > C\, and the abstract 
element OUTPUT3 is equal to p([cell 1— > {cell}, vat 1— > {data}],0). □ 
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To get precise relations between the binding of former variables and the 
binding of the variables bound by the communication, we gather the two de- 
scriptions INPUT3 and OUTPUT3. For that purpose, we assume that we are given, 
for any subset of variables V?,V\ C V, an abstract domain MoleculeiVt ,V\) of 
properties about sets of pairs of marker/environment pairs. Each property in 
Molecule(Vr,V\) is related by a concretization function 7,^ v ^ to the elements 
of p(£(V?) x £(V\)) which satisfy this property. We also introduce an element 
-L(v,,v,) tnat satisfies 7^ v ^(± (v?Vi) ) — 0. The domains Atom(V?), Atom(V\), 
and Molecule(V?,V\) are related by the following primitives. The primitive • 
simulates pair construction. For any a? G Atom(V?) and any a\ G Atom(V\), the 
element a? • a\ G Molecule(V-> , Vt) satisfies: 7y ? (<z?) x 7^ (at) C 7^ vi)( a? * a 0; 
the primitives fst and SND abstract the projection functions: for any a G 
Molecule(V?,V\), the elements fst(&) G Atom(V?) and SND(a) G Atom(V\) sat- 
isfy 1 ^(v,.y ] )( a ) <^7v ? ( FST ( a )) x 7vi( SND (°))- 

Then, we gather the two properties thanks to the abstract product •. We 

define mofo as input 3 • OUTPUT3 . We denote by (V?, Vi) G p(V) 2 the pair of 
sets of variables such that mol G Molecule(V?,V\). The element molo abstracts 
a set of pairs ((id?,E?), (id\,E\)) G £(V?) x £(V\). We introduce some formal 
variable to denote the channel names that are bound either in the environment 
£?, or in the environment E\. We introduce the set Var(V?,V\) := {(«,?) | v G 
V?} U {(v, !) I v G V\} of formal variables. 

Example 8.9 (labels and equalities (cont.)) We can define the abstract do- 
main Molecule(V?,V\) as T n (Var(V? ,V\)) . The concretization 7 v y? ^ maps eac/i 
abstract element a to the set of pairs (id?, £?), (id\,E\) such that the map [(x, ?) 1— » 
E?(x), (x, !) 1 ► belongs to 7r n (var{v-,M))( a )- ^ e bottom element _L (V? Vi) 

can 6e defined as A- :F t Var t Vl Vl \\. 

The primitive fst maps T (v? v , to _Ly ? and any other element (/, c) to toe 
element ([x G V? h- > /(a;, ?)], {(a;, o, y) | ((x, ?), o, (y, ?)) G c}). T/ie primitive 
SND maps _L (V? V|) to 1 K and any other element (/, c) to toe element ([x G 
Vi 1 > /(a;, !)], {(a;, o, y) \ ((x, !),❖, (y, !)) G c}). T/ie abstract product is defined 
h V : -Ly, • ei = e? • Ty, = T (v?|Vi) and (/?,c?) • (/i,C|) := (/',c'), w/iere 
/' := [{x,i) i-> fi{x)\ andc' := {((x, i), o, (y, i)) \ (x, o, y) G c;}. □ 

Example 8.10 (the shared memory (cont.)) In our example, the abstract 
element molo is equal to p(f, 0) where the function f is defined as the following 
function: 

'(cell,?) 1 ► {cell}, 
(fwd,l) 1 — ► {re torn}, 
< (val, ?) 1 — ► C, 
(cell,!) 1 ► {cell}, 
(vat, !) 1 ► {data}. 

□ 
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8.3.2 Collecting new constraints 



Now, we collect the set cons of all the constraints that we have about the 
environments E? and E\ . The formal variable (v, ?) denotes the value a(v, ?) := 
Ei(v) of the variable v in the input thread and the variable (v, !) denotes the 
value <j(v, !) := E\{v) of the variable v in the output thread. We consider three 
kinds of constraints: the constraint v\ — vi where v\,V2 £ Var(V?,Vj) means 
that the formal variables v\ and V2 denote the same channel name: we write 
p \= Vi = V2 if and only if a(v\) = o~{v2)', the constraint v± ^ vi is the negation 
of the constraint v\ — V2- we write p \= Vi ^ V2 if and only if cr(wi) ^ o~(v2); the 
constraint \bl(v,l), where v £ Var(V?,V^) and / £ C means that / is the label 
of the name that is denoted by the formal variable v: we write p \= lbl(u, I) 
if and only if <r(v) matches (I,-). We denote by Constraints^ ,V\) the set of 
all such constraints. First, we collect the constraints due to communication: 
the constraint (chan(7?),?) = (chan(Zi),!) encodes the fact that both threads 
interact over the same channel and the set {(yfe,?) = | 1 < k < n} of 

constraints encodes name-passing. Now we consider the constraints given by 
~: for any pair (Zi, Oi), (h,^) £ such that (h,Oi) ~ (^2,02), the set 

of constraints {(getvar(Zi)(6),Oi) = (getvar(? 2 )(&), o 2 ) | b £ B} encodes the 
fact that the threads that are denoted by the pairs (Zi,<>i) and (^2,02) share 
the same computation unit; conversely, when B s is not a singleton, we cannot 
extract constraints from non-equality among computation units, but when B s 
is a singleton {&}, for any pairs (/i,Oi), (^2,02) £ T{hJ<) such that (Zi,Oi) 9^ 
(^2, 02), the constraint (getvar(Zi)(6), ©1) ^ (getvar(7 2 )(6), ©2) encodes the fact 
that the threads that are denoted by the pairs (h,Oi) and (^,©2) are not in the 
same computation unit; last, for any pair (I, ©) £ T(h, the set of constraints 
{lbl((getvar(Z)(6),©),A([(/,©)]^)(6)) | b £ B} models the fact that A([(l,e)]„) 
is the abstract computation unit of the thread denoted by the pair (/,©). 

Example 8.11 (the shared memory (cont.)) In our example, we get the 
constraint set com U part = U part^ U part m , where: 

com = {(cell, ?) = (cell, !); (val, ?) = (vat, !)}, 

and part—, part^, and part lbl are defined as in Fig. \2(b)\ (they depend on the 
pair (~,A)). □ 

We can now define mol\ as SYNC ( cons, molo), where the primitive SYNC 
is used to enforce some constraints in abstract elements. For any set C £ 
Constraints(V? , Vj) of constraints and any abstract element a £ Molecule(V? , Vi), 
the element SYNC(C, a) £ Molecule(V? , V\) is such that the set 7,^ ^ (sync(C, a)) 
contains at least all pairs p — ((id?, E->), (id\, E\)) that satisfy bothp £ 7(v ? ,Vi)( a ) 
and Vc £ C, p \= c. 

Example 8.12 (labels and equalities (cont.)) We can define the primitive 
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SYNC as follows: 

JsYNC(cons,_L (v?Vi) ) := -L (v? ,v,)> 

|sYNC(cons, (/,c)) := p(f',cU {(x,o,y) \xoye cons}), 

x i — ► f(x) whenever $1, lbl(v, I) E coks, 
w/iere /'=<ih {1} whenever \3l, lbl(v, I) E cons, 

^ x i > otherwise; 
We stress that the normalization step is crucial to propagate information, and 
especially to detect unsatisfiable constraints. □ 

Example 8.13 (the shared memory (cont.)) First, we prove that the in- 
teraction is not possible as soon as (5, ?) (6, ?), (5, ?) </> (10, !), (5, ?) ~ (7, ?), 
or A([(5, ?)]„)(&) 7^ cell: 

• If (5,7) 9^ (6,?), we /icwe (cell,?) ^ (cell,?) E part^. Then, mol\ = 
-L(v ? ,v ! ) ■ 

• 1/(5,?) 9^ (10,!), we ftaue (cell,?) ^ (cell,!) e part^. But (cell,?) = 
(cell,!) E com. Then, mol\ = _L (V? Vi) . 

• If (5,?) ~ (7,?), we have (cell,?) ~ (fwd, ?) E part—. Then, mol\ 
matches p(f, c) with (cell, ?) ~ (fwd, ?) E c, /(cell, ?) = {cell}, and 
f(fwd,l) = {return}. Since /(cell,?) n /(/we?,?) = %, we have mol\ = 

-L(v,,v,)- 

. If A([(5,?)U)(b) ± cell, {lbl((cell,?),A([(5,?)U(b)} E part m . Then 
moh matches p(f,c) with /(cell,?) = {cell} n {^([(5, ?)]~)(6)}. So 
moh = -L ( v 7 ,v,)- 

[/nfi/ t/ie end of the section, we assume that: (5,?) ~ (6,?), (5,?) ~ (10,!), 
(5,?)/ (7,?), and A([(5, ?)]„)(&) = cell. 
W^it/i t/iese assumptions, we have: 

• com = {(cell, ?) = (cell, !); (val, ?) = (vat , !)}, 

• part = = {(cell, ?) = (cell, !); (cell, ?) = (cell, ?)}, 
. part^ = {(cell,l)^(fwd,l)}, 



Part m = 



J lbl(cell, ?), cell); i6/((cell, !), cell); 



lbl((fwd, ?),A([(7, ?)]„)) 



Then, moh = p(f, com U part = U part^) where the function f is defined as 

(cell,?) i ► {cell}, 
(fwd, 7) i — ► {return}, 
(val, ?) i — ► C, 
(cell,!) i ► {cell}, 
(vat,\) i > {data}. 
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Since the constraint (vat, I) = (val,l) belongs to the set com of constraints, we 
can deduce that the abstract element mol\ is equal to p(f ', comU part = Upart^), 
where f = f[(val, ?) i-> {data}}. □ 

8.3.3 Updating the abstract element 

Whenever we have mol\ — _L (V? Vi) , the constraints are not satisfiable, so we set 
POST env (ENV, ((/?, It), (~, A))) := J-cnv Otherwise, we first separate information 
about the input and the output threads, then we update the information about 
the threads that are launched. For that purpose, we use a primitive GC to 
simulate garbage collection: for any sets X, V of variables such that X C V, and 
any abstract element a 6 AtomiV), the abstract element GCx{a) 6 Atom(X) 
satisfies the property {(id,E\ x ) £ \ (id,E) e 7 y (a)} C j x (GCx(a)). 

Example 8.14 (labels and equalities (cont.)) The primitive GC can be de- 
fined by GCx(-L v ) := ± x and h V GC x(f, c) := (f\x, c n X x {=; ^} x X). □ 

We define the element POST en v(ENV, ((£?, l\), (~, A))) by U 011V {env; env'}, 
where ENV'(/) := GC(l(Z), FST(moZi)) whenever the label I belongs to the set 
/3(cont(/?)), env' (7) := GC(I(Z), SND(ttioZi)) whenever the label I is in the set 
/3(cont(/|)), and env' (7) := J-i(;) otherwise. 

Example 8.15 (the shared memory (cont.)) In our example, the function 
env' satisfies: env'(6) is equal to the element p(f, 0), where f = [(cell,?) i— > 
{cell}, (val,?) i— > {vaf}}. This is a precise abstraction of the environment of 
the thread that is launched at the program point 6. 

8.4 Soundness 

Thm. [8d6l states the soundness of our environment analysis. 

Theorem 8.16 (C| nv , U cnv , ± cnv , 7 onv , X| nv , POST env , V onv ) is an abstraction. 

9 Contents analysis 

Contents analysis counts both the number of threads inside each computation 
unit and the number of computation steps in the history of computation units. 
Its main goal is to detect mutual exclusion of threads inside computation units. 

9.1 Abstract domain 

Let K be the set of variables {x x \ I £ £} U {y x | A 6 C 2 } U {z x | A £ C 2 }. We 
use these variables to abstract both the contents and the history of computation 
units. Given a computation unit: the variable xi counts the occurrence number 
of threads at the program point / in this computation unit, the variable y\ 
counts the number of computation steps labeled with A that have modified this 



22 



computation unit, and the variable z\ is equal to 1 if at least one computation 
step labeled with A has modified the contents of this computation unit and is 
equal to otherwise. 

We assume that we are given an abstract domain M(K) to abstract func- 
tions in /C — > N. Each abstract property is related to the set p()C — ► N) by 
a concretization 7aT(jc)- An operator LI^OC) maps each finite set of properties 
to a weaker property: for each finite set A C p(VV(X)), Va G A, 7A/"(K)( a ) £ 
lj\f(K.){^Af{K)A)- The element -Lj^rjQ is the abstraction of the empty set (i.e. we 
have 7a/'(X)(-I-a/'(X)) = The operator V C on is a widening |16j . Then, our 
main abstract domain C| on is the set unit* — > Af()C) of the functions mapping 
each abstract computation unit to an abstraction of its contents. The struc- 
ture (U con , -Leon, and Vcon) is defined point wise. We define the concretization 
7con(cu) of any abstract element CU G C| on as the set of all configurations C G C 
such that for any concrete computation unit u G unit, Cu(o; unit (m)) is an ap- 
proximation of the contents of u. More precisely, we require that there exists a 
map n G 7coN(cu(a UNIT (it))) such that V7 G £, the number of threads in C at 
the program point I in the computation unit u is equal to n(xi). We also require 
that, for any A G C 2 , we have n(z\) = 1 whenever n(y\) > 1, and n(z\) = 
otherwise (we require no further properties about the variables y\ and z\). 

Example 9.1 (interval and affine constraints) We propose to use a reduced 
product between the interval domain \12f and the affine equality domain \27j . 
This way, our abstract domain expresses constraints either of the form a < v < 
b, or of the form ^ Ofe-^fc = b. Interval constraints (of the form a < v < b where 
a, b G N and v G K.) express properties of interest. Affine equalities (of the form 
X) a-k-Vk = b where a%, . . . ,a n ,b G Q, and v\, . . . , v n G K, express more complex 
properties, such as mutual exclusion. This allows for more precise calculations 
in the interval domain. Moreover, affine equalities capture relations when some 
threads are created and some others are consumed. To get a good precision, we 
need to avoid undetermined forms (when two unbounded values are subtracted) 
as much as possible. So, we use the approximate reduced product given in 122\ 
Chap. 9], in which each primitive can be computed in 0(Card(IC) 3 ) operations. 
Thus, we get a polynomial analysis. 

Other domains could have been considered. The polyhedron domain |77| / is 
too expensive. The octagon domain ]3(A WTj cannot express the affine invariants 
that are required when dealing with semaphores that both involve more than two 
agents and several tokens. Abstract multi-sets [32, 331 are exponential in time. 
□ 

Example 9.2 (the shared memory (cont.)) We apply our content analysis 
on the example of the shared-memory (e.g. see example \4-l\ ) with the reduced 
product of intervals and affine equalities (e.g. see examvle \9.1\) . We denote by 
CU the result of our analysis. The constraint system cu(cell) describes the 
usage of channels opened by the instances of the restriction v cell. Our goal 
is to prove that the system cu(cell) entails both the affine equality constraint 
X2 + %6 + x io = 2/i,i3 and the interval constraint < 2/1,13 < 1. This means 
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that either the channel has not been opened yet (i.e. 2/1,13 = 0), or the channel 
has been opened (i.e. 2/1,13 = 1) and there is exactly one output over it at the 
program point 2, 6, or 10 (since x 2 + x§ + x\q = X). □ 

Now, we simulate the non-standard semantics in the abstract. 



9.2 Initial state 

At the beginning of the concrete computation, each variable x is bound to the 
name (x,s). Besides, the configuration contains one thread at each program 
point the label of which is in the set (3(S). Thus, a thread at program point I 
is in the computation unit [b 1— > (getvar (/)(&), e)\. So, at the beginning of the 
computation, a computation unit u is either empty, or it contains a thread at 
each program point I £ (3{S) such that a UNIT (u) = getvar(/). In the abstract, we 
introduce a primitive XM(JC) S p(%) ~ * Af(fC). For any set A G p(]C), we denote 
by x(^4) the characteristic function of A which maps any variable v € fC to 1 
whenever v € A, and to otherwise. We require that x(A) G 7con(xtV(k:)(^))- 

Example 9.3 (interval and affine constraints (cont.)) In our abstract do- 
main, the primitive XN(fc) maps any set A C K, of variables, to the set of con- 
straints {v^\\v£K.}\J{v^O\v^lC}. □ 



The abstract state I'on is defined in Fig. 3(a) as the function mapping any 
abstract computation unit a G unit' to the element Uj^(ic){Xj^(!C)({xi | I € 
0(S), getvar(Z) = a}); X N{K) (0)}- 

Example 9.4 (the shared memory (cont.)) In the shared memory example 
(e.g. see Ex. \4-l\ ), the abstract element Icon * s equal to: 

'alloc i-> {0 < ati < 1} U {v = | Vw G JC \ {xi}}, 
rec 12 ^ J ° " Xl2 ~ 1 1 u {v = | Vv G K \ {x 12 ; x 12 ,}}, 

{ X12 = Xi2> J 

!->{?) = 0,Vi> e /C}; 

since we have: (3(S) = {1,12,12'}, getvaril) = alloc, and getvar{Y2) = 
getvar{12') = recn- □ 



9.3 Transition step 

We consider an abstract element CU G C| on , two program point labels /? and 
It, and a transition sub-case (~,A) G CONTEXt(I?, h). We simulate in the 
abstract any computation step r that matches C-^C, where A = ((/?,/]), (~ 
,A)) (e.g. see Fig. [3(b)). 

Example 9.5 (the shared memory (cont.)) As a running example, we sim- 
ulate an interaction between a thread at the program point 5 and a thread at the 
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4on : = [« ^ ^U(K){XM(K){{xi | I G /3(5) | getvar(Z) = a}), XjV(jg(0)}]- 

(a) Initial configuration abstraction. 

Let I? and h be two program point labels in C, such that type(7?) G 
{input, fetch} , type(Zi) = output, and such that the length of the lists arg(7?) 
and arg(Zi) is the same. Let G CC>ntext(7?, h) be a partition case and 

CU G Ccon be an abstract element. We define POST CON (cu, ((I?, h), (~, A))) 
by l con , whenever there exists o G {l?;l\} such that SYNC CO n([(Zo, o)]~ H 
{(7?, ?); (ii, !)})(cu(A([(Z ,o)]^))) = ±x(K)\ otherwise, we define it by [a i-> 
u A^(K){cu(a)} U {contenti{P) \ P G (T(i?,Zi))^, A(P) = a}], where, for any 

. oZd(P) :=Xa^)(0), 

whenever {getvar(7)(&) G I(Z)\f v(cont(Z<>)) | (l,o) G P, b G P} ^ 0, or 

• SYNC CO N(-Pn{(Z?,?);(/|,!)})(cu(A(P))), otherwise; 



consumed? (P) := 



consumed\{P) :- 



I {Z?} whenever type(Z?) = zryrai and (Z?, ?) G P, 

10 otherwise ; 

{Zi} whenever (Zi, !) G P, 

otherwise; 



• created?(P) := {I \ I ^ I?, (I, ?) g P} and created(P) :={l\l^U, (I, !) g 

Ph 



contento(P) := old(P) — " (xu{K){ consume d? U consumed)) +" 
(XA/"(/e) (created? U created))); 

• contenti(P) := update-trans(l?,l))(contento(P)). 

(b) Abstract POST operator. 

Figure 3: Contents analysis. 
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program point 10. We start from an abstract element CU such that the sys- 
tem Cu([6 i— > cell]) is made of both the constraints x 2 + xg + x w = 2/1,13 and 
0<yi,i3<l- 

We set I? — 5 and h — 10. Thanks to the control flow analysis, we only take 
into account the transitions where (5,?) ~ (6,?), (5,?) ~ (10,!), (5,?) rf> (7,?), 
A([(5, ?)]^)(6) = alloc, and A([(7, ?)]^)(fe) = return. Indeed, results coming 
from the other cases are ignored thanks to the coalesced product (e.g. see \7.3\ ). 
□ 

9.3.1 Is the step possible ? 

First, we check whether the computation step is possible, or not. Whenever 
we have (Z?,?) ~ (Zt, !), there must be a computation unit u in C such that 
both a vmT (u) — A([(fo,7)]^) and u contains at least one thread at the pro- 
gram point h and one thread at the program point Ir, whenever we have 
(7?,?) 9^ (/|, !), there must be two computation units u? and mi such that: for 
any o S {?;!}, «unit( u o) = A([(l ,o)]^) and u contains at least a thread at 
the program point l . To check these properties, we require an abstract prim- 
itive SYNCcon £ p(/C) — > M{K) — > Af(K) to check whether some variables may 
simultaneously take a non-zero value. For any set I of variables and any ab- 
stract element a e N{K), the set {/ e "ljsf(K){ a ) | Vu G I, f{v) > 1} should be 
included in the concretization 7 J \z-(^(SYNCcoN(-f)(a))- If there exists o £ {?; !} 
such that synCcon ([(^o,o)]~ H {(/?,?); (Zi, !)})(cu(A([(Z<>, o)]~))) is equal to the 
bottom element _Ljv"(x;)! the computation step is not possible, so we define 
POST C0N (cu, ((/?, (~, A))) as J-con- Otherwise, we update the abstraction 
of any computation unit involved in the computation step. 

Example 9.6 (the shared memory (cont.)) We know that i) (5, ?) ~ (10, !) 
and ii) A([(5, ?)]~) = [b i— > cell]. IVe compute t that is defined by the expres- 
sion SYNC CO n({(5, ?); (10, !)})(cu([6 i— > cell])). TTie system t is equivalent to 
the system: 

|x 5 > 1, X 10 > 1, X 2 +X 6 + Xxo = J/1,13, < 2/1,13 < 1- 

reduction, we obtain that t is equivalent to the system: 

{^5 > 1, 2/1,13 = xw = 1, xe = X2 = 0. 

This means that the interaction is only enabled when the cell has already been 
created (2/1,13 = 1 ) and when both interacting threads are in the computation 
unit (X5 > 1 and x±o = X). In this case, there is no thread at either the program 
point 2, or at the program point 6 (xq — X2 = 0). 

9.3.2 Abstracting the former contents of partition classes 

Let us consider a class P G (T(Z?, Zt)),^. The class P denotes a computa- 
tion unit u that is transformed during the computation step. We first com- 
pute an abstraction old(P) of the contents of u before the computation step. 
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In the case where there exists a pair (l,o) G P and a key b G B such that 
getvar(Z)(6) G 1(1) \ f v(cont(Z<>)), the computation unit maps a key to a fresh 
name, so we can deduce that the computation unit u has been created during 
the transition step. In such a case, we define old(P) as XAf(/e)(0)- Other- 
wise, we take into account the abstraction of the computation unit and the 
threads that are required to enable the computation step: we define old(P) as 
SYNC CON (P n {(/?, ?); (h, !)})(cu(A(P))). 

Example 9.7 (the shared memory (cont.)) First, we compute the contents 
of partition class [(5, ?)]^ before the computation step. The element old([(5, ?)]^) 
is equal to SYNC CON ([(5, ?)]~ f~l {(5, ?); (10, !)})(cu(A([(5, ?)]~))), so the system 
old([(5, ?)]~) contains the constraints x 5 > 1, x w > 1, x 2 +x 6 +xi = 2/1,13, and 
< 2/1.13 < 1- ^2/ reduction, we obtain that the system old([(5, ?)]~) is given 
by the constraints X5 > 1, 2/1,13 = £10 = 1, #6 = £2 = 0. This means that the 
interaction is only enable when the cell has already been created (2/1,13 = 1) and 
if the interacting threads are in the computation unit (x^ > 1 and = xio = 1). 
In such a case, there is no thread at the program point 2 or at the program point 
6 (x 6 = x 2 = 0). □ 

Example 9.8 (the shared memory (cont.)) We now consider a case when 
a computation unit is necessarily empty. We simulate an interaction between 
a thread at the program point 1 and a thread at the program point 13. This 
way, we set h = 1 and l\ = 13. Thanks to the control flow analysis, we only 
take into account the transitions where (/?,?) ~ (^!,?) and A([(l?, ?)]^)(6) = 
alloc. The interaction launches a thread at the program point 2. But, we have 
getvar[2)(b) = cell, 1(2) = {cell; null}, and fv(cont(l)) = {null; add}. So 
cell G 1(2) \ fv(cont(l)). Thus we can conclude that old([(2,?))^) is equal to 
XAf(K){®)- This way, the thread is launched in an empty computation unit. □ 

9.3.3 Abstracting the evolution of partition classes 

Then, we compute the set of labels of the threads that are created and consumed 
in the computation unit u. The input thread is consumed in u only if it is not 
a resource and if it was in the computation unit u: so we define consumed-? (P) 
as {h} if both type(Z?) = input and (/?, ?) G P, and as otherwise. The output 
thread is always consumed (we only check whether it is in u, or not): so we 
define consumed\(P) := {l\} if (Zi,!) G P, and consumed\(P) :— otherwise. 
The threads that are created during the computation step are dealt with the 
same way: we define created <> (P) :— {I \ I ^ l , (l,o) G P}, for any o G {?; !}. 

Example 9.9 (the shared memory (cont.)) In our running example, the 
set consumed?([(5,?)]r^) is equal to {5}, the set consumed\([(b,l)]rS) is equal 
to {10}. Since the constraints (5,?) ~ (6,?) and (5,?) 7^ (7,?) are satisfied, 
we can deduce that the set created? ([(5,?)}^) is equal to {6}. Last, the set 
created\([(5, ?)]~) is empty. □ 
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The abstraction content^ (P) of the contents of the computation unit u af- 
ter the computation step can then be defined as old(P) — " (xM(K) (consumed? U 
consumed)) +" (XJS(K)( created? U created)), where +" and — * are sound coun- 
terparts to the point wise addition and to the point wise subtraction. More 
precisely, for any a, b e J\f(JC) and o e {+; — }, we have: ao'de A/"(/C), and the 
concretization "fN(K.){ ao ^ b) contains at least all functions [v i— > f(v) °g(v)] such 
that: / e 7A^(/C)(a), 9 € 7Ar(/c)(&)> and for any u e /C, /(x) o g(x) > 0. 

Example 9.10 (interval and affine constraints (cont.)) The primitives +' 
cm<i — " are &o</i computed pair-wise over the system of affine constraints and 
over the system of interval constraints. More details can be found in J2SI 
Chap. 9, Sect. 9.3.1].. □ 

The last step consists in updating the local history of computation units. 
We introduce a primitive update_trans 6 C 2 — > N(JC) — ► J\fQC). The function 
update_trans(X) increments, in the abstract, the value of variable y\ and sets 
the value of variable z\ to 1. So, for any function / £ 7A/'(JC)( a )i the function 
<7 that maps 2/a to f{y\) + 1, to 1, and any other variable v to f(v) should 
be an element of the concretization ^ij^f^(update-trans(X)(a)). Thus, we define 
contenti(P) as update-trans(h,l\)(contento(P)). 

Example 9.11 (interval and affine constraints (cont.)) We can define the 
primitive update_trans(\) by using the usual transfer functions for assignments 
in interval constraints (e.g. see and in affine equalities (e.g. see \2T$ ). □ 

Example 9.12 (the shared memory (cont.)) In our running example, the 
system contento([(5, ?)]~) is given by the constraints x§ > 0, 2/1,13 = 1, xiq = 0. 
xq = 1, X2 = 0. Then, contenti([(5, ?)]~) is given by the constraints x$ > 0. 
2/1,13 = 1, xio = 0, x 6 = 1, x 2 = 0, 2/5,10 > 1, and z 5 ,w = 1. □ 

9.3.4 Updating abstract elements 

We are left to update the abstraction of the computation units whose abstract 
computation unit is A(P). We define, for any a <E unit 1 *, post con (cu, ((h,l\), (~ 
, A)))(a) as U/v (;c) {cu(a)} U {contenh(P) \ P G (T(k,l\))~, A(P) = a}. 

Example 9.13 (the shared memory (cont.)) We recall the fact that the sys- 
tem cu([& 1 — ► cell]) entails the affine constraints X2+xq+xio = 2/1,13 and the in- 
terval constraint < 2/1,13 < 1. The class P = [(5, ?)]^ is the only one such that 
A(P) = [&(—> cell]. Moreover, the affine constraints X2 + Xq + xiq = 2/1,13 and 
the interval constraints < 2/1,13 < 1 are also entailed by the system content\(P). 
The analysis discovers that these constraints are invariant. □ 

9.4 Soundness 

Thm. (HUD states the soundness of our content analysis. 
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Theorem 9.14 (C| „, U co „, _L co „, 7 con ,2| on , POST co „, V co „) is an abstraction. 

10 Conclusion 

We have proposed a generic framework for statically inferring properties of mo- 
bile systems. This framework is based on thread partitioning: we gather the 
threads of a mobile system into several classes. The criterion of thread parti- 
tioning is left as a parameter. We use the product of an analysis of the dy- 
namic linkage between the threads of a system and an analysis of the number of 
threads inside each partition class. As a result, we get a polynomial-time (with 
respect to the length of the initial state) analysis, which succeeds in proving 
the absence of race conditions in a shared memory written in the 7r-calculus. In 
|221 Chap: 10], we propose a version of this framework for the a77i6ien^-calculus 
(see. Sect. 10.2), and a model independent version (see. Sect. 10.3). We suc- 
ceed in proving authentication properties in a version [38) of the Woo and Lam 
one-way public-key authentication protocol that is written in the spz-calculus 
(I]. For that purpose, we partition the threads according to the identities of the 
principals that have initiated the session. 

Thread partitioning may also be used in reconfigurable systems to prove that 
the system may not switch to a new version until all components have been 
installed. For that purpose, we may partition threads according to the version 
identifier. As future works, we are also interested in using thread partitioning 
to refine the type checking of authorization policies [23] . 
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